Troubleshoot Cyware Agent Errors
This section is useful after a Cyware Agent installation to help analysts troubleshoot the related errors.
Ensure that the docker service is running on the instance. You can use the following command to verify the status of the docker service.
sudo systemctl status docker
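If the docker service is not running, use the following commands to enable and start the docker service.
sudo systemctl enable docker
sudo systemctl start docker
sudo chmod 777 /var/run/docker.sock
Note that mode 777 on /var/run/docker.sock lets every local user on the instance control the Docker daemon, which is equivalent to root access on the host.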
You can use the commands provided in this section to verify the permissions for the Cyware Agent mount directory. The permissions are required for users to create new agents and upgrade agents in a specific mount directory.
Check the User ID of the Agent Mount Directory
The Cyware Agent mount directory must be owned by user ID 1000 for changes to be made in it. To check the user ID of the agent mount directory, use the following command. Replace <path_to_agent_mount_directory> with the actual directory path.
stat -c '%u' <path_to_agent_mount_directory>
For example, stat -c '%u' /apps/cyware/new/prod_agent
The console should display 1000 as a response if you have permissions for the Cyware Agent mount directory.
Check the Group ID of the Agent Mount Directory
The Cyware Agent mount directory must belong to group ID 1000 for changes to be made in it. To check the group ID of the agent mount directory, use the following command. Replace <path_to_agent_mount_directory> with the actual directory path.
stat -c '%g' <path_to_agent_mount_directory>
For example, stat -c '%g' /apps/cyware/new/prod_agent
The console should display 1000 as a response if you have permissions for the Cyware Agent mount directory.
Provide Permissions for Specific Mount Directory
To update permissions for the Cyware Agent mount directory, use the following command. Replace <path_to_agent_mount_directory> with the actual directory path.
chown -R 1000:1000 <path_to_agent_mount_directory>
For example, chown -R 1000:1000 /apps/cyware/new/prod_agent
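The three steps above as one check, as an added example (not Cyware's own code): the stat commands inspect only the directory itself, so this function also walks the tree for entries whose owner or group differs. The function name audit_mount_owner and its optional UID/GID arguments are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not vendor code.
# Usage: audit_mount_owner DIR [UID] [GID]   (UID and GID default to 1000, as on this page)
# Returns 0 if DIR and everything below it match, 1 on a mismatch, 2 if DIR is missing.
audit_mount_owner() {
  amo_dir="$1"; amo_uid="${2:-1000}"; amo_gid="${3:-1000}"
  [ -d "$amo_dir" ] || { echo "not a directory: $amo_dir" >&2; return 2; }

  # Same information as the two stat commands above, in one call.
  amo_top=$(stat -c '%u:%g' "$amo_dir")
  [ "$amo_top" = "$amo_uid:$amo_gid" ] ||
    echo "top-level owner is $amo_top, expected $amo_uid:$amo_gid"

  # stat looks at DIR only. Entries created later by another account (for
  # example root unpacking files into the mount) are only found by walking the tree.
  amo_bad=$(find "$amo_dir" \( ! -user "$amo_uid" -o ! -group "$amo_gid" \) -print | wc -l)
  if [ "$amo_bad" -gt 0 ]; then
    echo "$amo_bad entries under $amo_dir are not owned by $amo_uid:$amo_gid; first few:"
    find "$amo_dir" \( ! -user "$amo_uid" -o ! -group "$amo_gid" \) \
      -exec stat -c '%u:%g %n' {} + | head -n 5
    return 1
  fi
  echo "ok: $amo_dir and all entries below it are owned by $amo_uid:$amo_gid"
}

# Runs only when MOUNT_DIRECTORY is set in the environment.
[ -z "${MOUNT_DIRECTORY:-}" ] || audit_mount_owner "$MOUNT_DIRECTORY" || true
```

A return code of 1 with a correct top-level owner means the chown -R above needs to be run again for the nested entries.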
You can verify if the Cyware Agent instance can connect to Orchestrate by checking the logs in the /apps/logs folder under $MOUNT_DIRECTORY. For example, /apps/cyware/cyware_agent/apps/logs/application.log and /apps/cyware/cyware_agent/apps/logs/error.log.
The $MOUNT_DIRECTORY can be different for every installation. In the above example, MOUNT_DIRECTORY=/apps/cyware/cyware_agent.
Steps to verify the connection
To check the connectivity from the Cyware Agent to Orchestrate, follow these steps.
Run tail -f $MOUNT_DIRECTORY/apps/logs/application.log to check the application logs. You will see a response as shown below.
2024-02-29 14:00:57,321 INFO TR-ID: MSG: Validating and Checking connectivity with https://cy.example.com/soarapi/openapi/ TRACEBACK:
2024-02-29 14:00:57,321 [INFO] app_log: Validating and Checking connectivity with https://cy.example.com/soarapi/openapi/
2024-02-29 14:00:57,365 [DEBUG] urllib3.connectionpool: Starting new HTTPS connection (1): cy.cyware.com:443
2024-02-29 14:00:58,382 [DEBUG] urllib3.connectionpool: https://cy.cyware.com:443 "GET /soarapi/openapi/v1/test_connectivity/
2024-02-29 14:00:58,411 INFO TR-ID: MSG: Api https://cy.cyware.com/soarapi/openapi/v1/test_connectivity/ GET - status_code: 200 TRACEBACK:
2024-02-29 14:00:58,411 [INFO] app_log: Api https://cy.cyware.com/soarapi/openapi/v1/test_connectivity/ GET - status_code: 200
2024-02-29 14:00:58,417 INFO TR-ID: MSG: Connection established! TRACEBACK:
2024-02-29 14:00:58,417 [INFO] app_log: Connection established!
You can look for Connection established! or PUT - status_code: 200 to confirm the connectivity. For example:
Connection established!
or (ignore the [...] below; look at the end of the line):
app_log: Api https://[...]/orchestrate/abxd234-c4d5-4a3f-bb77-akdhbfiweb/ PUT - status_code: 200
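One way to script the check described above, as an added example that is not part of the Cyware documentation or product: it scans log text for the two success markers and reports the most recent state. The function names, the sample lines and the treatment of a non-200 status code as a failure are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not vendor code. The success markers come from this page; treating a
# non-200 status_code as a failure is an assumption (the page shows no failing line).

# Reads application.log text on stdin and prints "<state> <timestamp>", where state
# is connected, failed:<code> or unknown. The most recent matching line decides,
# because the log is appended to and an old success can precede a newer failure.
agent_conn_state() {
  awk '
    BEGIN { state = "unknown"; ts = "-" }
    {
      # The marker is matched case-insensitively so that both "Connection
      # Established" and "Connection established!" are recognised.
      if (index(tolower($0), "connection established") ||
          index($0, "PUT - status_code: 200")) {
        state = "connected"; ts = $1 " " $2
      } else if (match($0, /status_code: [0-9]+/)) {
        code = substr($0, RSTART + 13, RLENGTH - 13)   # digits after "status_code: "
        if (code != "200") { state = "failed:" code; ts = $1 " " $2 }
      }
    }
    END { print state, ts }
  '
}

# Constructed sample lines: an earlier 401 followed by a successful poll.
sample_log() {
  cat <<'EOF'
2024-02-29 13:55:10,102 [INFO] app_log: Api https://cy.example.com/soarapi/openapi/v1/test_connectivity/ GET - status_code: 401
2024-02-29 14:00:58,411 [INFO] app_log: Api https://cy.example.com/soarapi/openapi/v1/test_connectivity/ GET - status_code: 200
2024-02-29 14:00:58,417 [INFO] app_log: Connection established!
EOF
}

sample_log | agent_conn_state
# Against a real agent: agent_conn_state < "$MOUNT_DIRECTORY/apps/logs/application.log"
```

A failed:<code> result whose timestamp is newer than the last success points to the Connection Error or Timeout Error causes covered in the common errors on this page.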
The following are the common errors that analysts can encounter with Cyware Agent and their corresponding troubleshooting steps. These common errors can be found in the application.log or error.log files. For more information on the default location of application.log and error.log files, see Default Directories.
Connection Error or Timeout Error
These errors indicate a connectivity issue between Cyware Agent and the Orchestrate instance or the apps that are hosted on-premise.
To validate these errors on the Orchestrate platform:
Navigate to Admin Panel > Cyware Agent.
Select a required Cyware Agent and check the Last Polled Time and Schedule.
You can also check if your admin has received a Cyware Agent failure email notification.
Cause:
Incorrect configuration of proxy settings in the .env file
The open API to access the Orchestrate instance is expired.
Resolution:
Configure the proxy settings in the .env file. The default location of the .env file is /path/to/mount_directory/conf/.env.
Update the expiry date of the Open API used to access the Orchestrate instance. To update the expiry date of Open API, see Troubleshoot Cyware Agent Errors on Playbook.
Not able to import packages for appname_appversion (Example: virus_total_1_0_0)
This error occurs when Cyware Agent is unable to connect to Cyware's PyPI repository (https://packages.cyware.com/repository/pypi-group/simple/) that hosts all the required Python modules.
Cause:
Incorrect value of PIP_PACKAGE_DOWNLOAD_PATH in the .env file.
Connectivity failure when accessing the URL set as the value of PIP_PACKAGE_DOWNLOAD_PATH in the .env file.
Resolution:
Execute the following command that validates the connectivity of Cyware Agent with the value of PIP_PACKAGE_DOWNLOAD_PATH defined in the .env file.
curl <PIP_PACKAGE_DOWNLOAD_PATH>
Note
The default value of PIP_PACKAGE_DOWNLOAD_PATH is https://packages.cyware.com/repository/pypi-group/simple/.
Connection between Cyware Agent and Cyware Orchestrate failed due to certificate error
If you have installed Cyware Agent with a custom CA certificate, this error occurs when the certificate expires or is invalid.
Resolution:
Update the certificate on the Cyware Agent host system and restart Cyware Agent. To restart Cyware Agent, run the following command:
bash configure.sh MOUNT_DIRECTORY=<new-mount-directory> IMAGE=<image-url> DOCKER_NAME=<docker_name> MODE=restart
This section describes the troubleshooting commands that analysts can use to troubleshoot Cyware Agent-related issues.
To check the activation status of Cyware Agent, execute the following command. The output displays the list of running docker containers.
docker ps
You can remove an existing docker container and start a new docker container while upgrading Cyware Agent from version 1.x to version 2.0. To remove or start a specific docker container, execute the following commands.
To remove a container:
docker container rm -f <Container_Name>
To start a container:
docker run --env-file=<Agent_Mount_Directory>/conf/.env -v <Agent_Mount_Directory>/apps:/app/integrations/apps --name <Container_Name> -d --restart unless-stopped <Image_Name> agent
If you need to modify the polling schedule configured during installation, do the following:
Navigate to the .env file.
Update the cron expression, and restart the docker container.
To modify the proxy settings:
Navigate to the .env file and update the http_proxy, https_proxy, or no_proxy settings.
Restart the docker container.
To manually poll the Cyware Agent for troubleshooting, execute the following command:
docker exec -it cyware_agent python /app/cyware_agent/lite_agent.py
Errors encountered for a Playbook node that is Cyware Agent compatible delay Playbook execution. These errors may occur due to incorrect node configurations or network connectivity during Playbook creation or during its run time. It is important to analyze and fix these errors.
Cyware Agent related errors can occur in two situations:
During Playbook node configurations: Displays errors while configuring a Playbook node that is compatible with Cyware Agent.
During Playbook execution: Displays errors related to Cyware Agent during Playbook execution.
Before you Start
Ensure that you have permission to View Cyware Agent Configuration, Create/Update Cyware Agent Configuration, View Cyware Agent Tasks, Create/Update Cyware Agent Tasks, and View Run Logs. For more information about the required permissions to view Cyware Agent and run logs, contact your Administrator.